Abstract

Complex systems often exhibit unexpected faults that are difficult to handle. Such systems should be diagnosable, i.e. faults can be automatically detected as they occur (or shortly afterwards), enabling the system to handle the fault or recover. A system is diagnosable if it is possible to detect every fault, in a finite time after it occurred, by only observing the information available from the system. Complex systems are usually built from simpler components running concurrently. We study how to infer the diagnosability property of a complex system (distributed and with multiple faults) from a parallelized analysis of the diagnosability of each of its components synchronizing with fault-free versions of the others. In this paper we make the following contributions: (1) we address the diagnosability problem of concurrent systems with arbitrary faults occurring freely in each component; (2) we distribute the diagnosability analysis and illustrate our approach with examples; moreover, (3) we present a prototype tool that implements our techniques, showing promising results.


1 Introduction 

As systems become larger, their behavior becomes more complex. Several things may go wrong, resulting in faults. It is then crucially important to design our systems in a way that lets us detect or recover from such faults when they occur. A system is diagnosable when its design allows the detection of faults, for instance a system that has sensors specially dedicated to detecting them. Sometimes the detection of faults is more involved and the diagnosability property is harder to establish, especially in systems with several components.

A sound software engineering rule for building complex systems is to divide the whole system into smaller and simpler components, each solving a specific task. Moreover, they are usually built by different groups of people and may be in different places. This means that, in general, complex systems are actually collections of simpler components running in parallel.
In order to model such systems and formally prove results, there are several formalisms like Finite State Machines (FSMs) [Sampath et al., 1995; Jiang et al., 2000], Petri Nets [Genc and Lafortune, 2003; Madalinski et al., 2010] and Labeled Transition Systems (LTSs) [Brandan-Briones et al., 2008; Brandan-Briones and Madalinski, 2011; Bonigo and Brandan-Briones, 2012]. In this paper, we model each component by an LTS, so the whole system is a collection of LTSs synchronizing in all their shared observable actions (see Section 2).

In the diagnosability analysis of distributed systems it is usually assumed that a fault can occur in exactly one of the components. We relax this assumption, allowing the same fault to occur in several components.

Also, the diagnosability analysis is usually iterative (i.e., sequential): the information from local diagnosers is combined until a global verdict is reached. We propose a method to distribute this analysis.

Finally, we developed a tool that implements all our research. The DADDY tool (Distributed Analysis for Distributed Discrete sYstems) [Bonigo, 2012] is a prototype based on the results presented in [Bonigo and Brandan-Briones, 2012] and this paper. The tool implements not only the method we present but also the classic one, allowing us to compare both approaches. We present a comparative analysis of their performance obtained from experimental runs of several examples.


Related Work Diagnosability was initially developed in [Sampath et al., 1995] under the setting of discrete event systems. In that paper, necessary and sufficient conditions for testing diagnosability are given. In order to test diagnosability, a special diagnoser is computed, whose construction is shown to be exponential in the number of states of the original system and doubly exponential in the number of faults. Later, in [Jiang et al., 2000], an improvement of this algorithm is presented, where the so-called twin plant method is introduced and shown to have polynomial complexity in the number of states and faults. Afterwards, in [Schumann and Pencole, 2007], an improvement to the twin plant method is presented where the system is reduced before building the twin plant.

None of the methods presented there (i.e., [Sampath et al., 1995; Jiang et al., 2000]) consider the problem when the system is composed of components working in parallel. An approach to this consideration is addressed in [Schumann and Pencole, 2007; Debouk et al., 2000; Pencole, 2004; Schumann and Huang, 2008], where the diagnosability analysis is performed by either local diagnosers or local twin plants communicating with each other, directly or through a coordinator, and by that means pooling together the observations. [Ye and Dague, 2012] shows that, when considering only local observations, diagnosability becomes undecidable when the communication between components is unobservable. An algorithm is proposed to check a sufficient but not necessary condition of diagnosability. However, their results are based on the assumption that a fault can only occur in one of the components, an assumption that cannot always be made.

Several mechanisms such as interleaving, shared variables and handshaking have been described in [Baier and Katoen, 2008] to provide operational models for distributed systems. In the handshaking method, the communication is made by synchronization on actions or events. These actions must be specified a priori in the model, so the different components can be synchronized at execution time. In [Bonigo and Brandan-Briones, 2012] the authors study how different kinds of synchronization (via all the shared actions, some of them or none) impact the diagnosability analysis.


Motivation Suppose different groups of people are commanded to build different components of a system. Even if each component is diagnosable, it is not always the case that the resulting system has such a property¹. In [Bonigo and Brandan-Briones, 2012] the authors show that, with different kinds of synchronization, the diagnosability of the global system cannot be inferred directly from the diagnosability of each component.

We propose a framework where each component only shares with the rest a fault-free version of itself, possibly the specification of its ideal behavior. Then, each component should not only be diagnosable by itself, but its interaction with the fault-free versions of the others should be diagnosable too, i.e. its synchronous product with the fault-free versions of the other components. Therefore, our diagnosability analysis can be distributed.

Paper organization Section 2 presents the formal model that we use for modeling each component, the parallel composition between them and the notion of diagnosability. In Section 3 we develop our analysis method, showing how the diagnosability of each component synchronizing with fault-free versions of the other components influences the diagnosability property of the overall system. Section 4 presents our tool DADDY and some experimental results. We conclude and discuss future work in Section 5.

2 Diagnosability Analysis 

2.1 Model of the system

We consider a distributed system composed of two autonomous components $G_1$, $G_2$ that communicate with each other by all their shared observable actions. The local model of a component is defined as a Labeled Transition System.

Definition 1. A Labeled Transition System (LTS) is a tuple $G = (Q, \Sigma, \delta, q_0)$ where

• $Q$ is a finite set of states,

• $\Sigma$ is a finite set of actions,

• $\delta$ is a partial transition function (used below as a relation $\delta \subseteq Q \times \Sigma \times Q$, since the systems may be nondeterministic), and

• $q_0 \in Q$ is the initial state.

¹ See for example C, D and $C \times D$ in Figures 1 and 2.

As usual in diagnosability analysis, some of the actions of $\Sigma$ are observable while the rest are unobservable. Thus the set of actions $\Sigma$ is partitioned as $\Sigma = \Sigma_o \uplus \Sigma_{uo}$, where $\Sigma_o$ represents the observable actions and $\Sigma_{uo}$ the unobservable ones.

The faults to diagnose are considered unobservable, i.e. $\Sigma_f \subseteq \Sigma_{uo}$, as faults that are observable are trivially diagnosable.

As usual in diagnosability analysis, we make the following assumptions about our systems.

Assumption 1. We only consider (live) systems where there is a transition defined at each state, i.e. the system cannot reach a point at which no action is possible.

Assumption 2. The system does not contain cycles of unobservable actions.

Note that these assumptions together ensure that all our systems are free of observation starvation: every infinite run produces infinitely many observable actions.






Figure 1: Specification of four components modeled by LTSs

Figure 1 shows four components modeled by the LTSs A, B, C and D, where $o_1, o_2, o_3, o_4, o_5 \in \Sigma_o$ and $u_1, u_2, u_3 \in \Sigma_{uo}$. The special action $f \in \Sigma_f$ is the fault to be diagnosed.

A path from state $q_i$ to state $q_j$ in $G$ is a sequence $q_i \cdot a_i \cdot q_{i+1} \cdots a_{j-1} \cdot q_j$ such that $(q_k, a_k, q_{k+1}) \in \delta$ for $i \le k \le j-1$. The set of paths in $G$ is denoted by $paths(G)$.

The trace associated with a path consists of its sequence of actions (i.e., for a path $p = q_0 \cdot a_0 \cdot q_1 \cdots a_{n-1} \cdot q_n$ we have $trace(p) = a_0 \cdot a_1 \cdots a_{n-1}$). Given a trace $\sigma = a_0 \cdot a_1 \cdots a_n$, we write $f \in \sigma$ when there exists $i$ such that $f = a_i$. As our systems are live, we only consider infinite traces, where the infinite repetition of an action $a$ is denoted by $\overline{a}$. The set of all traces starting in $q_0$ is denoted by $traces(G)$. As we consider nondeterministic systems, the same trace can belong to several paths. The set of possible paths of a trace $\sigma$ in $G$ is $path(\sigma) = \{p \in paths(G) \mid trace(p) = \sigma\}$.

The observation of a trace is given by the following definition.

Definition 2. Let $\sigma \in \Sigma^*$, then

$$obs(\sigma) = \begin{cases} \epsilon & \text{if } \sigma = \epsilon \\ a \cdot obs(\sigma') & \text{if } \sigma = a \cdot \sigma' \wedge a \in \Sigma_o \\ obs(\sigma') & \text{if } \sigma = a \cdot \sigma' \wedge a \notin \Sigma_o \end{cases}$$

The communication between two components is given by their synchronous product, where the synchronizing actions are all the shared observable ones.

Definition 3. Given two local components $G_1 = (Q_1, \Sigma_1, \delta_1, q_0^1)$ and $G_2 = (Q_2, \Sigma_2, \delta_2, q_0^2)$, the behavior of the global system is given by their synchronous product $G_1 \times G_2 = (Q_1 \times Q_2, \Sigma_1 \cup \Sigma_2, \delta_{1 \times 2}, (q_0^1, q_0^2))$, where $\delta_{1 \times 2}$ is defined as follows:

$$\delta_{1 \times 2}((q_1, q_2), a) = \begin{cases} (\delta_1(q_1, a), \delta_2(q_2, a)) & \text{if } a \in \Sigma_1 \cap \Sigma_2 \\ (\delta_1(q_1, a), q_2) & \text{if } a \in \Sigma_1 \wedge a \notin \Sigma_2 \\ (q_1, \delta_2(q_2, a)) & \text{if } a \in \Sigma_2 \wedge a \notin \Sigma_1 \end{cases}$$

Given a path in the global system, we can project it onto a single component.

Definition 4. Let $p \in paths(G_1 \times G_2)$, its projection onto $G_i$ is

$$P_i((q^1, q^2)) = q^i$$

$$P_i((q^1, q^2) \cdot a \cdot p') = \begin{cases} q^i \cdot a \cdot P_i(p') & \text{if } \exists\, \delta_i(q^i, a) \\ P_i(p') & \text{otherwise} \end{cases}$$

For a trace in the global system, we define the projections to know which actions belong to a certain component.

Definition 5. Let $\sigma$ be a trace in $traces(G_1 \times G_2)$; $\sigma'$ is its projection onto $G_i$, denoted $P_i(\sigma) = \sigma'$, iff

$$\exists\, p \in path(\sigma) : trace(P_i(p)) = \sigma'$$

Example 1. Let $\sigma = o_1 f o_3 u_3 o_5$ be a trace in $traces(C \times D)$ from Figure 2; its projection onto component C is $P_C(\sigma) = o_1 f o_3$ and its projection onto component D is $P_D(\sigma) = o_1 o_3 u_3 o_5$. These projections are traces of the corresponding components C and D from Figure 1. Note that projections of an infinite trace of the global system can be finite in one of the components.




Figure 2: Synchronous product of components A, B and of components C, D

As the projection operator only erases actions in a trace, it is easy to see that every fault belonging to a projection of such a trace also belongs to the trace in the global system, as shown by the following result.

Proposition 1. For every trace $\sigma$ in $traces(G_1 \times G_2)$ with $P_i(\sigma) = \sigma_i$, we have

$$\text{if } f \in \sigma_i \text{ then } f \in \sigma$$

When two components synchronize in all their shared actions, if two traces of the global system have the same observation and we project them onto the same component, the resulting projections will also have the same observation. This result is captured by Proposition 2.

Proposition 2. Given two traces $\sigma$ and $\alpha$ in $traces(G_1 \times G_2)$ with $P_i(\sigma) = \sigma_i$ and $P_i(\alpha) = \alpha_i$, we have

$$\text{if } obs(\sigma) = obs(\alpha) \text{ then } obs(\sigma_i) = obs(\alpha_i)$$

This result is proved by double induction on the structure of $\sigma$ and $\alpha$. We analyze several cases depending on the existence of the projections. One of the most critical cases is when $\sigma = a \cdot \sigma'$, $\alpha = b \cdot \alpha'$, $a \in \Sigma_1 \cap \Sigma_2$ but $b \notin \Sigma_1 \cap \Sigma_2$, as it has several particular sub-cases. Note that this result only holds when the synchronization is done on the whole set of shared actions.

2.2 Diagnosability condition

We now present the notion of diagnosability. Informally, a fault $f \in \Sigma_f$ is diagnosable if it is possible to detect, within a finite delay, occurrences of such a fault using the record of observed actions. In other words, a fault is not diagnosable if there exist two infinite paths from the initial state with the same infinite sequence of observable actions but only one of them contains the fault.

Definition 6. Let $f$ be a fault in $\Sigma_f$; $f$ is diagnosable in $G$ iff

$$\forall \sigma, \alpha \in traces(G) : \text{if } obs(\sigma) = obs(\alpha) \text{ and } f \in \sigma \text{ then } f \in \alpha$$

The system $G$ is diagnosable, denoted by $diag(G)$, if and only if every fault $f \in \Sigma_f$ is diagnosable.

The previous definition, introduced in [Brandan-Briones et al., 2008], is a reformulation of the one presented in [Sampath et al., 1995].

Example 2. Consider the components A and B from Figure 1. The only pairs of traces in A with the same observation are of the form $f o_3$ (one for each branch from the initial state); as both traces contain the fault $f$, system A is diagnosable. In the case of B, each observable trace corresponds to a unique path, therefore B is diagnosable.

Now consider system $A \times B$ from Figure 2: we can see that every trace contains a fault, therefore $A \times B$ is diagnosable. On the contrary, in system $C \times D$ we have two traces, $o_2 u_2 o_4$ and $o_2 f u_2 o_4$, that have the same observation, but one of them contains a fault and the other does not; therefore the system $C \times D$ is not diagnosable.


3 Distributing the diagnosability analysis 

The notion of diagnosability is introduced in [Sampath et al., 1995] assuming a centralized architecture of the system. In order to check the diagnosability property in distributed systems, the synchronous product of the components is computed and such a product is given as input to an algorithm that tests its diagnosability (usually based on the twin plant method). The size of such a product grows exponentially with respect to the size of the components, resulting in an inefficient algorithm. When dealing with real applications, such as telecommunication networks or power distribution networks, the centralized approach is clearly unrealistic because of the size of those applications. Moreover, this approach does not exploit the fact that such systems are distributed.

In [Schumann and Pencole, 2007; Pencole, 2004] the authors distribute the search for non-distinguishable behaviors based on local verifiers and local twin plants. The local information is propagated until a verdict is reached or, in the worst case, the global system is built. Their result is based on the assumption that a fault can occur in exactly one component.

In this section we present a method that allows one to decide the diagnosability of a distributed system in terms of the diagnosability of each faulty component synchronizing with fault-free versions of the remaining ones. Basically, we compose each component with fault-free versions of the other components and analyze their diagnosability in parallel. To the best of our knowledge, it is the first method that allows the diagnosability analysis to be parallelized.


Algorithm 1

Require: An LTS $G = (Q, \Sigma, \delta, q_0)$
Ensure: An $f$-fault-free version of $G$
1: $Q' := \{q_0\}$, $\delta' := \emptyset$, $Q := Q \setminus \{q_0\}$
2: while $\exists (q', x, q) : q' \in Q' \wedge (q', x, q) \in \delta \wedge (q', x, q) \notin \delta'$ do
3:   if $x \neq f$ then
4:     $Q' := Q' \cup \{q\}$
5:     $\delta' := \delta' \cup \{(q', x, q)\}$
6:   end if
7:   $\delta := \delta \setminus \{(q', x, q)\}$
8: end while
9: return $G^f = (Q', \Sigma, \delta', q_0)$


For testing the diagnosability of a fault $f \in \Sigma_f$ in the global system, instead of computing the whole composition, we consider one component and compose it with the fault-free versions of the others. These fault-free versions may be taken as the specification of each component, when provided, or can be computed by removing the fault $f$ from the component using Algorithm 1 and considering the result as the correct behavior of the component.




Figure 3: Components A, B, C and D after removing their faults

If we compose a component $G_i$ with the fault-free version of $G_j$, denoted $G_j^f$, clearly the traces of the resulting system are those of $G_i \times G_j$ whose projections onto $G_j$ are fault-free.

Proposition 3. Let $G_i$ and $G_j$ be two LTSs, then $\sigma \in traces(G_i \times G_j^f)$ iff

$$\sigma \in traces(G_i \times G_j) \wedge \forall \sigma_j : P_j(\sigma) = \sigma_j \Rightarrow f \notin \sigma_j$$

Figure 3 shows components A, B, C and D after removing fault $f$, and Figure 4 shows them synchronizing with the faulty components.

Example 3. Consider the systems from Figure 4. System $A^f \times B$ is trivially diagnosable. In the case of system $A \times B^f$ it is easy to see that the observable traces are of the form $o_3$, but all traces containing $o_3$ also contain $f$, and therefore $A \times B^f$ is also diagnosable. In system $C^f \times D$, the traces $\sigma = o_2 u_2 o_4$ and $\alpha = o_2 f u_2 o_4$ have the same observation, but $\alpha$ contains a fault and $\sigma$ does not. So, we can conclude that $C^f \times D$ is not diagnosable.

Figure 4: Composed systems after removing the faults in one of the components

The following result states necessary conditions for the diagnosability of the global system, i.e. the non-diagnosability of $G_1^f \times G_2$ or of $G_1 \times G_2^f$ implies the non-diagnosability of $G_1 \times G_2$.

Theorem 1. Let $G_1$ and $G_2$ be two LTSs, then

$$diag(G_1 \times G_2) \Rightarrow diag(G_1^f \times G_2) \wedge diag(G_1 \times G_2^f)$$

Proof. Let us assume that $\neg diag(G_1^f \times G_2)$; then there exist two traces $\sigma, \alpha \in traces(G_1^f \times G_2)$ and a fault $f$ such that $obs(\sigma) = obs(\alpha)$ with $f \in \sigma$ but $f \notin \alpha$. We know from Proposition 3 that every trace in $G_1^f \times G_2$ is a trace in $G_1 \times G_2$, so we have found two traces of the global system with the same observation, one containing a fault and the other one not. Therefore $G_1 \times G_2$ is non-diagnosable. An analogous argument applies if $\neg diag(G_1 \times G_2^f)$. □

Example 4. We saw in Example 3 that $C^f \times D$ is non-diagnosable. Using Theorem 1 we can conclude that $C \times D$ is non-diagnosable. This result is consistent with the diagnosability analysis made in Example 2.


As explained above, the idea is to build a diagnosable component and to test that its interaction with the other, fault-free, component is also diagnosable. We can then decide the diagnosability of $G_1 \times G_2$ in terms of the diagnosability of $G_1$, $G_2$, $G_1^f \times G_2$ and $G_1 \times G_2^f$.


Theorem 2. Let $G_1$ and $G_2$ be two LTSs, then

$$\left.\begin{array}{l} diag(G_1) \wedge diag(G_1 \times G_2^f) \\ diag(G_2) \wedge diag(G_1^f \times G_2) \end{array}\right\} \Rightarrow diag(G_1 \times G_2)$$

Proof. Assume that we have a fault $f \in \Sigma_f$ and two traces $\sigma, \alpha \in traces(G_1 \times G_2)$ with $f \in \sigma$ and $obs(\sigma) = obs(\alpha)$; we need to prove that $f \in \alpha$. Consider the following cases (for $i \neq j$):

1. If $\sigma, \alpha \in traces(G_i^f \times G_j)$, we can prove by the diagnosability of $G_i^f \times G_j$ that $f \in \alpha$, and then $G_1 \times G_2$ is diagnosable.

2. If $\alpha \notin traces(G_i^f \times G_j)$, using the hypothesis that $\alpha \in traces(G_i \times G_j)$ we can apply Proposition 3 and obtain that $\exists \alpha_i : P_i(\alpha) = \alpha_i \wedge f \in \alpha_i$. By Proposition 1 we know that every fault belonging to a projection also belongs to the trace in the global system, so $f \in \alpha$ and $G_1 \times G_2$ is diagnosable.

3. If $\alpha \in traces(G_i^f \times G_j)$ and $\sigma \notin traces(G_i^f \times G_j)$, we know by Proposition 3 that $\forall \alpha_i : P_i(\alpha) = \alpha_i \Rightarrow f \notin \alpha_i$, and also that $\exists \sigma_i : P_i(\sigma) = \sigma_i$ with $f \in \sigma_i$. As $obs(\sigma) = obs(\alpha)$ we have that $obs(\sigma_i) = obs(\alpha_i)$ by Proposition 2. Finally, as $G_i$ is diagnosable and $f \in \sigma_i$, the fault should belong to $\alpha_i$, leading to a contradiction, so this case cannot arise. We can conclude that $G_1 \times G_2$ is diagnosable. □

Example 5. From Example 2 and Example 3 we know that A, B, $A^f \times B$ and $A \times B^f$ are diagnosable. If we apply Theorem 2 we can conclude that $A \times B$ is diagnosable, which is consistent with the analysis made in Example 2.
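The constructions of Definition 3, Algorithm 1 and the distributed check of Theorems 1 and 2 (extended to $n$ components as in Theorems 3 and 4), as an added, runnable Python example; it is not part of the paper or of the DADDY tool. The twin-plant test is the standard one from [Jiang et al., 2000], written from scratch here, and the synchronous product synchronizes on the shared observable actions as stated in Section 2.1, so a fault name present in several components does not synchronize. The components G1 and G2, the action names and the observable set OBS are constructed for this example and are not the paper's Figures 1 to 4: each component is diagnosable on its own, but their product contains a faulty and a fault-free trace with identical observation, which `distributed_verdict` detects from $G_1^f \times G_2$ without ever building $G_1 \times G_2$.

```python
from collections import deque, namedtuple
from functools import reduce

# Definition 1; trans holds (q, a, q') triples, so nondeterminism is allowed.
LTS = namedtuple("LTS", "states actions trans init")

def succ(g, q, a):
    return [q2 for (p, b, q2) in g.trans if p == q and b == a]

def sync_product(g1, g2, observable):
    """Definition 3, synchronising on the shared observable actions (Section 2.1);
    unobservable actions, the fault included, stay local to their component."""
    shared = g1.actions & g2.actions & observable
    init = (g1.init, g2.init)
    seen, trans, todo = {init}, set(), deque([init])
    while todo:
        q1, q2 = todo.popleft()
        for a in g1.actions | g2.actions:
            if a in shared:
                moves = [(p1, p2) for p1 in succ(g1, q1, a) for p2 in succ(g2, q2, a)]
            else:  # succ() is empty for a component that does not own a
                moves = [(p1, q2) for p1 in succ(g1, q1, a)] + [(q1, p2) for p2 in succ(g2, q2, a)]
            for nxt in moves:
                trans.add(((q1, q2), a, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return LTS(frozenset(seen), g1.actions | g2.actions, frozenset(trans), init)

def fault_free(g, f):
    """Algorithm 1: drop every f-transition and keep only what stays reachable from q0."""
    seen, trans, todo = {g.init}, set(), deque([g.init])
    while todo:
        q = todo.popleft()
        for (p, a, q2) in g.trans:
            if p == q and a != f:
                trans.add((p, a, q2))
                if q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
    return LTS(frozenset(seen), g.actions, frozenset(trans), g.init)

def is_diagnosable(g, f, observable):
    """Twin-plant test of Definition 6 (Jiang et al., 2000), valid under Assumptions 1-2:
    two copies of g move in lock-step on observable actions and interleave unobservable
    ones; a copy is flagged once it has executed f.  f is NOT diagnosable iff a reachable
    cycle runs through ambiguous twin states (exactly one copy flagged): that cycle gives
    two infinite traces with the same observation of which only one contains f."""
    init = (g.init, False, g.init, False)
    seen, edges, todo = {init}, {}, deque([init])
    while todo:
        s = todo.popleft()
        q1, f1, q2, f2 = s
        nxt = []
        for a in g.actions:
            if a in observable:
                nxt += [(p1, f1, p2, f2) for p1 in succ(g, q1, a) for p2 in succ(g, q2, a)]
            else:
                nxt += [(p1, f1 or a == f, q2, f2) for p1 in succ(g, q1, a)]
                nxt += [(q1, f1, p2, f2 or a == f) for p2 in succ(g, q2, a)]
        edges[s] = nxt
        for t in nxt:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    # Flags never reset, so a cycle through one ambiguous state stays ambiguous.  Peel off
    # ambiguous states with no ambiguous successor; a non-empty remainder contains a cycle.
    region = {s for s in seen if s[1] != s[3]}
    while True:
        dead = {s for s in region if not any(t in region for t in edges[s])}
        if not dead:
            return not region
        region -= dead

def distributed_verdict(components, f, observable):
    """Theorems 1-4: check each G_i against the fault-free versions of the others, never
    building the full product (the checks are independent; here they stop at the first no)."""
    for i, gi in enumerate(components):
        others = [fault_free(gj, f) for j, gj in enumerate(components) if j != i]
        local = reduce(lambda p, gj: sync_product(p, gj, observable), others, gi)
        if not is_diagnosable(local, f, observable):
            return False        # Theorems 1 / 3: the global system is not diagnosable
    if all(is_diagnosable(g, f, observable) for g in components):
        return True             # Theorems 2 / 4
    return None                 # some component is not diagnosable itself: no verdict

# Constructed components (an assumption of this example, NOT the paper's figures).  Each is
# diagnosable alone, but in G1 x G2 the component G1 can loop on its local o6 for ever while
# G2 sits, after its fault, in a state it never leaves, so the product has the traces
# o2 u2 f o4 o6 o6 ... and o2 u2 o4 o6 o6 ... with equal observation.
F = "f"
OBS = frozenset({"o2", "o4", "o5", "o6", "o7", "o8"})
G1 = LTS(frozenset({"c0", "c1", "c2", "c3", "c4"}), frozenset({"o2", "u2", "o4", "o6", F, "o7"}),
         frozenset({("c0", "o2", "c1"), ("c1", "u2", "c2"), ("c2", "o4", "c3"),
                    ("c3", "o6", "c3"), ("c0", F, "c4"), ("c4", "o7", "c4")}), "c0")
G2 = LTS(frozenset({"d0", "d1", "d2", "d3", "d4"}), frozenset({"o2", F, "o4", "o5", "o8"}),
         frozenset({("d0", "o2", "d1"), ("d1", F, "d2"), ("d2", "o4", "d3"),
                    ("d3", "o5", "d3"), ("d1", "o4", "d4"), ("d4", "o8", "d4")}), "d0")
```

`distributed_verdict([G1, G2], F, OBS)` returns False because $G_1^f \times G_2$ is not diagnosable (Theorem 1, as in Example 4), while `is_diagnosable(sync_product(G1, fault_free(G2, F), OBS), F, OBS)` is True; computing the full product and testing it gives the same negative verdict. The ambiguous-cycle criterion relies on Assumptions 1 and 2: without them a cycle of unobservable actions or a deadlock could produce a twin-plant cycle that does not correspond to two infinite observed traces.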


3.1 Generalization

Until now we only considered systems composed of two components. However, real examples are usually more complex and are composed of several components. Therefore we need to generalize the previous results to global systems composed of $n$ different components running in parallel.

In order to generalize all our results, the associativity and commutativity of the synchronous product become essential. Note that in the general case the set of synchronizing actions is not necessarily the intersection of all the observable actions. Suppose that a system is composed of three components, $G_1$, $G_2$ and $G_3$, where two of them synchronize via an action $a$ that does not belong to the third component, i.e. $a \in \Sigma_1 \cap \Sigma_2$ but $a \notin \Sigma_3$. We expect that $G_1$ and $G_2$ still synchronize on $a$. Fortunately, despite its apparent complications, the synchronous product is associative and commutative. The proof of this result can be found in previous work [Bonigo and Brandan-Briones, 2012].

The following results generalize Theorems 1 and 2 respectively, giving necessary and sufficient conditions for the diagnosability of the global system.

Theorem 3. Let $G_1, G_2, \ldots, G_n$ be $n$ components modeled by LTSs, then

$$diag(G_1 \times G_2 \times \cdots \times G_n) \Rightarrow \begin{array}{l} diag(G_1 \times G_2^f \times \cdots \times G_n^f)\ \wedge \\ diag(G_1^f \times G_2 \times \cdots \times G_n^f)\ \wedge \\ \vdots \\ diag(G_1^f \times G_2^f \times \cdots \times G_n) \end{array}$$

Theorem 4. Let $G_1, G_2, \ldots, G_n$ be $n$ components modeled by LTSs, then

$$\begin{array}{l} diag(G_1) \wedge diag(G_1 \times G_2^f \times \cdots \times G_n^f)\ \wedge \\ diag(G_2) \wedge diag(G_1^f \times G_2 \times \cdots \times G_n^f)\ \wedge \\ \vdots \\ diag(G_n) \wedge diag(G_1^f \times G_2^f \times \cdots \times G_n) \end{array} \Rightarrow diag(G_1 \times G_2 \times \cdots \times G_n)$$

Their proofs can be inferred directly from results that can be found in [Bonigo and Brandan-Briones, 2012].

When the faults can occur in every component and $G_1^f \times G_2^f \times \cdots \times G_n \neq G_1 \times G_2 \times \cdots \times G_n$, our approach shows important advantages; however, in the cases where $G_1^f \times G_2^f \times \cdots \times G_n = G_1 \times G_2 \times \cdots \times G_n$, the whole product is analyzed and the computation time of our method is equal to that of the classic one. Nevertheless, when a diagnosability analysis is performed it is because it is known that several faults can occur in different components, and it is then more likely that $G_1^f \times G_2^f \times \cdots \times G_n$ is smaller than $G_1 \times G_2 \times \cdots \times G_n$.

Moreover, the diagnosability analysis of each component and of each product $G_1^f \times \cdots \times G_i \times \cdots \times G_n^f$ can be run in parallel, allowing a parallel analysis of diagnosability.

4 The DADDY tool

In the previous section we tried to minimize the information that components need to share in order to decide the diagnosability property of the whole system. We now present our tool, called DADDY (from Distributed Analysis for Distributed Discrete sYstems). DADDY implements the method presented above and the classic one (where the synchronous product is computed before the diagnosability analysis is performed). The tool is written in Python and is released under the GNU GPL v3 license. It uses a standard format (.aut) for the description of each component and it also allows one to see a graphical representation of the system. It can be downloaded from [Bonigo, 2012].

The tool receives as inputs the components of the system. These inputs are assumed to be diagnosable; if not, an alert message is returned. If the specifications, meaning the non-faulty components, are not given, the systems $G_j^f$, for $j \neq i$, are computed following Algorithm 1. Then the $G_j^f$ are synchronized with $G_i$, and the diagnosability of the product is checked using the twin plant method from [Jiang et al., 2000]. Also, the time $t_i$ of such computation is recorded.

As soon as it is known that a component interacting with fault-free versions of the other ones is non-diagnosable, applying Theorem 3 a non-diagnosable verdict is returned. Moreover, using the fact that it is a distributed computation,











System   Diagnosable   Our method      Classic method
A x B    yes           0.0027251243    0.024051904
                       0.0028400421    0.023932933
                       0.0028848648    0.024003028
                       0.0029160976    0.025793075
                       0.0032229423    0.023809194
C x D    no            0.0041198730    0.015272855
                       0.0040440559    0.015629053
                       0.0042178630    0.015436887
                       0.0040760040    0.009753942
                       0.0047080516    0.015598058

Figure 5: Diagnosis results in seconds (five runs per system and method)


when we find a non-diagnosable component, the computation of all the other components can be stopped. So, the resulting time of such computation is $\min(t_i)$ with $1 \le i \le n$.

On the other hand, if every component interacting with the fault-free versions of the other ones is diagnosable, using the assumption that every $G_i$ is diagnosable on its own, we can conclude that $G_1 \times \cdots \times G_n$ is diagnosable applying Theorem 4. In this case, the diagnosability of every component is computed (in parallel) and the required time is $\max(t_i)$ with $1 \le i \le n$.

We can see in the table from Figure 5 that the diagnosability analysis results obtained by DADDY are consistent with the ones presented in our previous examples. We can also see that our method can be almost ten times faster than the classical one. If we consider systems $n_1, n_2, n_3$ from exaples/sample5 in [Bonigo, 2012], a non-diagnosable result is obtained (as $n_1^f \times n_2 \times n_3^f$ is not diagnosable) in 0.16974902153 seconds with our method, while the classical one does not reach a result after more than 24 hours. This shows an important improvement with respect to the classical method when the number of components grows.

5 Conclusions and Future Work 

We have presented a new framework for the distributed diagnosability analysis of concurrent systems. We remove the assumption that a fault can only occur in a single component (which is usually made in distributed systems) and allow more general systems to be analyzed. The method presented in this paper parallelizes the analysis, leading in general to an important reduction in computing time. The theoretical results are illustrated by several examples and supported by experimental results obtained with the DADDY tool.

We plan to keep reducing the system in order to obtain minimal components from which we can infer the diagnosability of the original global system. In addition, we intend to relax the assumption that the communicating (synchronizing) events are observable.

Furthermore, even if the framework presented in this paper allows the distribution of the analysis, the formalism used to model the systems is still sequential (product of LTSs) and can suffer from state space explosion, making the twin plant method used to check its diagnosability still prohibitive. We are working to extend this analysis to concurrent models such as Petri Nets.